Mailbox App Allows HTML Emails to Execute Javascript [Video]

Security researcher Michele Spagnuolo has posted blog entry revealing that the Mailbox app executes any Javascript which is present in the body of HTML emails.

This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploitation framework, potentially much worse things. The app also loads external images without offering an option to disable this behavior.

A spokesperson for the app told Ars Technica that a patch will likely be available before the end of the day.

"As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS," representatives wrote in a statement. "That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon."